06B – DATA INCIDENTS AND LITIGATION Jeffrey L. Poston Partner Crowell & Moring, LLP.


TYPES OF INCIDENTS
Cyber-Hacking
Employee/Vendor Negligence
– Lost laptop
– Inadvertent transmission
Employee/Vendor Theft

BREACH RESPONSE ISSUES
Loss/Theft of Data
– Individual Student Notification
– Insurance Coverage
– OCR/HIPAA
– State AG Enforcement
– Class Actions
– Law Enforcement
– Trade Secret Theft
– Business Reputation
– Vendor Involvement/Indemnity
– Internal Investigation/Forensics

RECENT UNIVERSITY BREACHES
Coordinated Attack
– 10/13: hackers infiltrated over 50 universities and published sensitive information online, including names, addresses, and user names and passwords.
Phishing Scam
– 10/13: phishing scam resulted in the breach of over 3000 individuals’ personal information. University employees inadvertently gave hackers access to protected health information.

RECENT UNIVERSITY BREACHES (cont’d)
Unauthorized Access
– 8/13: incident at a Midwestern school resulted in unauthorized access to records (including SSNs) of over 60,000 individuals. School is providing credit monitoring services for 1 year.
Cyber Attack
– 7/13: hackers accessed data of 80,000 university employees through defect in vendor software. University is providing credit monitoring services for 1 year.

REGULATORY ACTION
Health and Human Services
– College and University Hospitals hit with HIPAA fines in 2013:
  A state university in the Northwest settled with HHS for $400,
  A private university in California experienced a breach with 13,000 compromised records
  A public university in the Midwest experienced a breach of over 3000 medical records

REGULATORY ACTION (cont’d)
State Breach Notification
– Expanded definition of Protected Information in California
  Includes login information, addresses, and security questions
46 states have breach notification laws
– Different timeframes
– Subject to enforcement actions and files
– Disparate state reporting requirements

LITIGATION THREAT
Springer v. Stanford University
– Medical data for 20,000 emergency room patients accidentally sent to a job applicant
– Applicant then posted the information online
– Information exposed for over a year
– $20 million class action suit, pending in Superior Court of the State of California, County of Los Angeles

LITIGATION THREAT (cont’d)
Gross v. University of Hawaii
– 5 alleged data breaches at 4 different University institutions from 2009 –
– 96,000 individuals affected
– Settled in 2012; credit protection services to affected individuals for two years.

LITIGATION THREAT (cont’d)
UCLA v. Superior Ct of LA County
– Over 16,000 patient records allegedly compromised by theft of hard drive
– Damages sought totaled $1,000 per patient, or over $16 million
– California State Court of Appeals, 2nd District, dismissed the case on October 15, 2013
– Healthcare providers not necessarily liable for stolen or misappropriated medical data absent a showing that the data was accessed by an unauthorized person

LITIGATION THREAT (cont’d)
Bombardieri v. Emory Healthcare
– Emory University allegedly lost 10 discs containing patient information and some Social Security Numbers.
– Allegation of 300,000 compromised records
– Damages sought totaled $200 million, or $1,000 per patient.
– Case disposed (dismissed) by Superior Court of Fulton County Georgia in

CYBER ESPIONAGE
Research universities as targets
– Defense / Homeland Security development grants
– Patents and intellectual property
Unique problems facing universities:
– Open and collaborative work environment
– Foreign professors / students
– Foreign travel

CYBER ESPIONAGE (cont’d)
By the numbers:
– One public university in the Midwest reports 90,000 – 100,000 illegal attempts to gain access to the network per day originating largely from China
– A California university reports millions of attempts per week
– All Universities are reporting an exponential growth in the number of attacks and in their sophistication

HOW TO MANAGE CRISIS WHEN PII COMPROMISED
1. DO NOT SWEEP UNDER THE RUG
2. BE PREPARED
– Breach Response Plan
  GC’s Office
  Privacy Office
  IT
  Media Relations
  Training/Policies to ensure incident reported up the chain
3. INVOLVE IN-HOUSE/OUTSIDE COUNSEL IMMEDIATELY
– Can assert privilege to maximum extent possible
– Assert privilege over outside consultants
– Use counsel to conduct employee interviews
– Assess claims vs. vendors
– Assess need for law enforcement
– Strategize for long run

HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
4. INVESTIGATE
– Physical
– Forensics
– What data?
– Whose data?
– Access to vendors
– JDA
5. MITIGATE/REMEDIATE
– Can you recover data?
– Can you forensically prove data not accessed?
– If technical cause, can’t be fixed
– First hours critical

HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
6. NOTIFICATION ISSUES
– HIPAA/OCR?
– State breach notification laws
– FERPA
7. HERE COME THE REGULATORS
– Be proactive with regulators
– Establish relationship/bring them in the loop
8. INVOLVE CORPORATE COMMUNICATIONS
– States require certain content in notification letters
– Speak with one consistent voice

HOW TO MANAGE CRISIS WHEN PII COMPROMISED (cont’d)
9. VENDOR ISSUES
– JDA
– Who is notifying students etc.?
– Indemnity
– Tolling Agreement
10. INSURANCE ISSUES
– Report incident
– What kind of policy?
– CGL
– Standard cyber policy

EMERGING LITIGATION ISSUES
Typical Claims
– Negligence
– Breach of Contract
– Unfair Trade Practices
– Breach of Privacy
– State Statutes
Threshold issues
– Standing to sue (Federal Court)
– Actual injury or harm (common law claims)

EMERGING LITIGATION ISSUES (cont’d)
Class Certification Issues
– Rare (dismissal or settlement)
– Claims often turn on individualized issues or causation and damages
– Thus common questions of law and facts do not predominate over questions affecting individual members.
Damages
– Aggregate exposure to nominal damages
– Due process violation?

TYPICAL SETTLEMENTS
Non-monetary relief (e.g., credit monitoring)
Monetary payments to privacy non profits (e.g., Privacy Rights Clearinghouse)
Consent decree requiring security improvements
Attorneys fees to plaintiffs’ counsel
Capped individual payments to plaintiffs who can prove causation